Free Support Forum - aspose.com

How to remove INCLUDETEXT or INCLUDEPICTURE Fields from document using C#

While doing a mail merge with Aspose.Words in C#, a penetration test result suggested forbidding the use of fields like INCLUDETEXT or INCLUDEPICTURE that possibly allow stealing the content of local files (e.g. INCLUDETEXT("c:\windows\system32\drivers\etc\hosts")).

Is there a way to make the mail merge engine prevent such unwanted local file access scenarios, e.g. by:

  • Giving me a central handler that is called before accessing a local file?
  • Some way to find all such fields and remove them?

I came up with this solution for now:

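using Aspose.Words;
using Aspose.Words.Fields;

// Extension methods must live in a static class; the class name here is illustrative.
public static class DocumentExtensions
{
    // Removes INCLUDETEXT and INCLUDEPICTURE fields and returns the same document.
    public static Document RemoveDangerousFields(this Document @this)
    {
        var remover = new FieldDangerousRemover();
        @this.Accept(remover);

        return @this;
    }

    // Walks the document; at each field end, removes the whole field if its type is listed.
    private sealed class FieldDangerousRemover : DocumentVisitor
    {
        public override VisitorAction VisitFieldEnd(FieldEnd fieldEnd)
        {
            if (fieldEnd.FieldType == FieldType.FieldIncludeText ||
                fieldEnd.FieldType == FieldType.FieldIncludePicture /*||
                fieldEnd.FieldType == FieldType.FieldInclude*/)
            {
                fieldEnd.GetField().Remove();
            }

            return VisitorAction.Continue;
        }
    }
}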

This is based on this documentation.

Does my solution look suitable? Are there any more fields?

@Uwe_Keim

Yes, your understanding and code are correct. You can use this code to achieve your requirement. Please feel free to ask if you have any questions about Aspose.Words; we will be happy to help you.
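An added example, not code from the thread or from Aspose: the same idea as a deny-list sanitizer over `doc.Range.Fields` that also returns what it removed, so the removal can be logged. The class name `ExternalContentFieldSanitizer` and the field types beyond the three named in the thread are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Aspose.Words;
using Aspose.Words.Fields;

// Hypothetical helper for this example; not part of Aspose.Words.
public static class ExternalContentFieldSanitizer
{
    // Assumption: deny-list chosen for this example. The first three types appear in
    // the thread; the rest are added because they also pull in content from outside
    // the document. Review the list against the fields your templates really need.
    private static readonly HashSet<FieldType> Denied = new HashSet<FieldType>
    {
        FieldType.FieldIncludeText, FieldType.FieldIncludePicture, FieldType.FieldInclude,
        FieldType.FieldImport, FieldType.FieldLink, FieldType.FieldDDE, FieldType.FieldDDEAuto,
    };

    // Removes every denied field; returns "type: field code" entries for the audit log.
    public static IReadOnlyList<string> Sanitize(Document doc)
    {
        var removed = new List<string>();
        Field field;
        // Re-query after each removal: removing an outer field (such as an IF) can take
        // nested fields with it, so a snapshot of the collection could go stale.
        while ((field = doc.Range.Fields.FirstOrDefault(f => Denied.Contains(f.Type))) != null)
        {
            removed.Add($"{field.Type}: {field.GetFieldCode().Trim()}");
            field.Remove();
        }
        return removed;
    }

    public static void Main()
    {
        // Constructed sample template: one harmless field and one denied field.
        // InsertField(code, value) inserts the field without updating its result.
        var doc = new Document();
        var builder = new DocumentBuilder(doc);
        builder.InsertField("MERGEFIELD FirstName", "«FirstName»");
        builder.InsertField(@"INCLUDETEXT ""C:\\placeholder\\sample.txt""", "cached text");

        foreach (var entry in Sanitize(doc))
            Console.WriteLine("removed " + entry);
        Console.WriteLine("fields remaining: " + doc.Range.Fields.Count);
    }
}
```

Run `Sanitize` on every template before the mail merge executes, and treat a non-empty result as a finding worth logging, since it means a template carried a field that references external content.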